CP
cyberpings
Threat IntelHIGH

Trivy Supply Chain Attack - New Compromised Docker Images Found

IMInfosecurity Magazine
TrivyAqua SecurityTeamPCPDockerGitHub Actions
🎯

Basically, hackers compromised Docker images used for software development, putting many projects at risk.

Quick Summary

Aqua Security's Trivy vulnerability scanner faces a serious threat as new compromised Docker images are discovered. Developers using these images in CI/CD pipelines must act quickly to mitigate risks. The TeamPCP threat group is behind this attack, highlighting the ongoing challenges in securing software supply chains.

The Threat

On March 19, 2026, a significant supply chain attack was launched against Aqua Security's Trivy vulnerability scanner. This attack involved the injection of credential-stealing malware into official Docker images, specifically versions 0.69.4, 0.69.5, and 0.69.6. The malware is linked to the TeamPCP threat group, known for its malicious activities, including credential theft and more. Security researchers from Socket discovered that these compromised images were distributed through Docker Hub after attackers gained access via a GitHub Actions compromise.

The newly compromised images were uploaded on March 22, 2026, without corresponding GitHub releases, raising alarms about the integrity of the software. The presence of indicators of compromise (IOC) associated with the TeamPCP infostealer was confirmed in these images, indicating a serious escalation in the attack.

Who's Being Targeted

The attack primarily affects organizations using Trivy in their CI/CD pipelines. Developers relying on these Docker images for vulnerability scanning are at risk, as the compromised versions could lead to unauthorized access and data breaches. The incident has extended beyond just Docker images; it has implications for the integrity of development environments and the security of software supply chains.

Security teams are urged to review their recent CI/CD scans and consider them potentially compromised. The attack also briefly exposed an internal GitHub organization linked to Aqua Security, leading to unauthorized changes in dozens of repositories.

Tactics & Techniques

The attackers utilized a compromised service account token to gain access to multiple GitHub organizations. This method allowed them to rename and make public many repositories in a scripted burst, suggesting a high level of automation in their approach. The malicious binaries in the compromised Docker images contained typosquatted command-and-control (C2) domains and exfiltration files, indicating a sophisticated level of planning and execution.

The TeamPCP group has expanded its operations beyond credential theft to include ransomware deployment, cryptocurrency mining, and even destructive attacks targeting Kubernetes environments. This broadening of tactics signifies a heightened threat level and the need for organizations to remain vigilant.

Recommended Actions

Organizations using Trivy should take immediate steps to mitigate risks. Here are some recommended actions:

  • Review CI/CD pipeline activity: Check for any unusual or unauthorized scans.
  • Update Docker images: Ensure that only clean versions of Trivy are used.
  • Monitor repositories: Keep an eye on any changes in your GitHub repositories that could indicate unauthorized access.
  • Educate teams: Ensure that development teams are aware of the risks and know how to identify potential threats.

Aqua Security has confirmed that their commercial products remain unaffected, but the situation is fluid, and ongoing investigations are crucial to understanding the full impact of this incident.

🔒 Pro insight: Analysis pending for this article.

Original article from

Infosecurity Magazine

Read Full Article

Share

Related Pings

HIGHThreat Intel

Threat Intel - Faster Attacks and Recovery Denial Ransomware

Mandiant's latest report reveals a shift in ransomware tactics and faster cyberattacks. Organizations must adapt to these evolving threats to protect their recovery systems. The implications are significant, as attackers increasingly target critical infrastructure.

CSO Online·
HIGHThreat Intel

Phishing Campaign - Attackers Target Multiple Sectors

A phishing campaign is targeting critical sectors like healthcare and education with fake copyright notices. This poses a serious risk of data breaches. Organizations must act quickly to safeguard sensitive information.

Dark Reading·
HIGHThreat Intel

High-Tech Sector - Overtakes Finance as Cyber Attack Target

In a surprising turn, the high-tech sector has become the top target for cyber-attacks in 2025, surpassing finance. This shift raises concerns for tech companies and their data security. Mandiant's report highlights the need for enhanced cybersecurity measures across industries.

Infosecurity Magazine·
HIGHThreat Intel

Iranian Hackers - Using Telegram for Data Theft Operations

Iranian hackers are using Telegram to target dissidents and journalists. The FBI warns of their deceptive tactics and the potential for significant data theft. Awareness and vigilance are crucial to counter these threats.

TechCrunch Security·
HIGHThreat Intel

Threat Intel - Mandiant's Insights on Evolving Cyber Threats

Mandiant's M-Trends 2026 report reveals how cyber threats are evolving. Organizations face increased risks from ransomware and voice phishing tactics. Understanding these trends is vital for improving security measures and defending against sophisticated attacks.

Mandiant Threat Intel·
HIGHThreat Intel

Threat Intel - Aqua Security Repositories Defaced by TeamPCP

Aqua Security's GitHub repositories were defaced after a supply chain attack involving malicious Trivy images. The breach exposed sensitive developer data and internal tools, raising significant security concerns.

Security Affairs·